Cracking the Perimeter with SharpShooter, Dominic Chell, June 2019 (PowerPoint presentation)



  1. Cracking the Perimeter with SharpShooter Dominic Chell June 2019

  2. # whoami
     • Dominic Chell: Offensive Security @ MDSec
     • Responsible for *BEST, STAR and TIBER services
     • Twitter: @domchell
     • Projects: SharpShooter, LyncSniper, SharpPack, PowerDNS, Chameleon

  3. OUTLINE
     • Background
     • SharpShooter Overview
     • Reconnaissance
     • Delivery
     • Sandbox Evasion
     • Staging
     • "Free Styling" with SharpShooter
     • Exploring AMSI
     • Macro Support
     • Tradecraft
     • Detection / Prevention

  4. BACKGROUND
     • Establishing initial access can often be complex
     • Increased focus from defenders on PowerShell attacks
     • Easy to signature both statically and via process spawn chains
     • AMSI gives scanning engines direct access to memory
     • Rise of sandboxing tech, "Next Gen Anti-Virus", EDR and EDP
     • Increased difficulty introducing payloads into environments
     • Red teaming is getting harder!

  5. OVERVIEW: SharpShooter
     • Internally developed tool: SharpShooter
     • Successful on a number of adversary simulations
     • Some success in bypassing traditional and "Next Gen" security controls

  6. OVERVIEW: SharpShooter

  7. OVERVIEW: SharpShooter
     • Staged and stageless payload creation framework for Windows-based scripting file formats:
       • HTML Applications
       • JavaScript
       • VBScript
       • Windows Script Files
     • VBA and Excel 4.0 macro support
     • Arbitrary execution of CSharp source
     • Anti-sandboxing and HTML smuggling

  8. OVERVIEW: SharpShooter
     • Script payloads execute DotNet using DotNetToJScript
     • Staged payloads:
       • Arbitrary CSharp source code is retrieved via DNS or web
       • CSharp source code is compiled and executed using reflection

  9. RECONNAISSANCE
     • Targeted reconnaissance provides a better chance of success
     • Payload should be targeted at the correct version of the DotNet framework
     • If executing in-process shellcode, it should correspond to the target's architecture
     • Alternatively, an x86 process can be spawned and injected into

  10. RECONNAISSANCE
     • Reconnaissance e-mail with image and system profiling links
     • Embed in e-mail: <img src="http://attacker.net/logo.png?uid=1234" />
     • Monitor web logs for results:
       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.6366; ms-office; MSOffice 16)

  11. DELIVERY
     • Delivery can leverage the "HTML smuggling" technique from @buffaloverflow
     • RC4-encrypted file decrypted in the browser using JavaScript's WebCrypto APIs
     • navigator.msSaveBlob forces the browser to save the decrypted blob locally
     • Proxy sees text/html or an attachment rather than the payload's content type (e.g. text/vbscript)
     • SharpShooter provides two pre-defined template examples

  12. SANDBOX EVASION
     • Attempts to avoid automated analysis, inspired by CheckPlease:
       • Domain keying
       • Domain member
       • Sandbox artefacts
       • Bad MACs
       • Debugging

  13. SANDBOX EVASION • Obtaining Active Directory name example:

  14. SANDBOX EVASION • Obtaining Active Directory name example:

  15. DEMO: PALO ALTO TRAPS

  16. DETECTION STATUS
     • Shortly after release, signatures began to emerge
     • Defender AMSI signature detects all DotNetToJScript
     • Proclaimed dead by @subTee

  17. DETECTION STATUS

  18. DETECTION STATUS

  19. SharpShooter RESURRECTION

  20. ANTIMALWARE SCAN INTERFACE
     • Microsoft introduced AMSI in Windows 10
     • Standard interface providing file, memory and stream scanning for any application
     • Analysis happens at the scripting engine, so it has access to the plain, deobfuscated code
     • Supported in PowerShell, Windows Script Host (JavaScript and VBScript) and Office VBA macros

  21. ANTIMALWARE SCAN INTERFACE

  22. ANTIMALWARE SCAN INTERFACE

  23. ANTIMALWARE SCAN INTERFACE
     • Mid-April 2018: @subTee released the "SquiblyTwo" attack
     • Script execution through stylesheets using wmic.exe
     • Defender AMSI did not trigger

  24. COM STAGING
     • Updates to SharpShooter to include "COM Staging" and XSL / SCT generation
     • Several known COM methods allow command execution:
       • Outlook.CreateObject
       • WScript.Run
       • Shellbrowserwindow.Document.Application.Run
       • WMI StartWin32Process
     • Leverage COM to execute wmic.exe or regsvr32.exe on the command line to perform "Squiblydoo" and "SquiblyTwo" attacks

  25. COM STAGING (diagram): HTA, JS, VBS → COM interface (Outlook, WScript, WMI etc) → wmic.exe / regsvr32.exe → remotely hosted XSL or SCT

  26. FREE STYLING WITH SharpShooter

  27. FREE STYLING WITH SharpShooter
     • Research into COM objects supporting XSL processing identified the Microsoft.XMLDOM interface
     • Inline and remotely hosted transformation of XML against a given stylesheet, providing the following benefits:
       • No command line execution
       • Regsvr32.exe has known IOCs, e.g. User-Agent
       • XSL retrieval via HTTP/HTTPS
     • AMSI not supported in scriptlets; added early 2019
     • Later used by @bohops to bypass WDAC in CVE-2018-8492

  28. FREE STYLING WITH SharpShooter

  29. DEMO: WINDOWS DEFENDER XSL

  30. AMSI BYPASSES
     • @Tal_Liberman discovered an AMSI bypass using the "AmsiEnable" registry key (HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable)
     • Requires the user to "open" the payload twice:
       • First pass checks the registry to determine if the key is set and, if not, sets it
       • Second pass opens the payload from the user's Downloads folder

  31. AMSI BYPASSES

  32. AMSI BYPASSES
     • @tiraniddo discovered a DLL hijacking vulnerability in AMSI
     • The technique prevents LoadLibrary from loading amsi.dll by convincing it that the DLL is already loaded
     • The scripting engine is unable to find the AMSI DLL exports and fails safe
     • Copy wscript.exe to a known location with the name amsi.dll and run the script file

  33. AMSI BYPASSES
     • @Tal_Liberman discovered another AMSI bypass by patching amsi.dll's exported functions
     • AmsiScanBuffer handles the buffer that is being scanned
     • Function patched in memory to return AMSI_RESULT_CLEAN
     • mov eax, 0x80070057; retn

  34. DEMO: DEFENDER AMSI BYPASS

  35. MACRO SUPPORT
     • In Feb 2019, SharpShooter added support for VBA and Excel 4.0 macros
     • VBA support introduced using the XMLDOM and XSL technique
     • @StanHacked discovered a legacy feature of Office to execute macros using Excel 4.0
     • Excel 4.0 does not support AMSI and is not recognised by many EDR/EDP solutions
     • SharpShooter generates an SLK file to directly execute shellcode in Excel

  36. DEMO: MACRO EXECUTION

  37. TRADECRAFT
     • Default SharpShooter templates do not employ OpSec tradecraft; the stageless template:
       • Allocates memory as EXECUTE_READWRITE for shellcode execution
       • Executes shellcode "in process", e.g. mshta.exe performing C2
       • Spawns from the default parent, e.g. wscript.exe launched from chrome.exe
     • Indicators discussed in detail by defenders:
       • https://countercept.com/blog/analyzing-sharpshooter-part-1/
       • https://countercept.com/blog/analyzing-sharpshooter-part-2/

  38. TRADECRAFT
     • Reducing memory indicators is a trivial step:
       • First allocate memory using PAGE_READWRITE
       • Reset the page permissions to PAGE_EXECUTE_READ using VirtualProtect

  39. TRADECRAFT
     • Reducing process indicators can be achieved using injection:
       • Spawn an innocuous process, e.g. iexplore.exe
       • Inject shellcode using the chosen technique, e.g. ALPC, SetThreadContext, CreateRemoteThread etc.

  40. TRADECRAFT
     • Parent PID spoofing can be performed using UpdateProcThreadAttribute
     • CreateProcess using the STARTUPINFOEX struct

  41. DEMO: TRADECRAFT

  42. DETECTION
     • Staged mode: CSharp compilation using CodeDom with the CompilerParameters.GenerateInMemory = true; parameter
     • Command line logging:
       • csc.exe invocation
       • nslookup.exe for DNS delivery
     • Modifications to the AmsiEnable registry key for AMSI bypasses
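The detection points on this slide (csc.exe and nslookup.exe spawned from a script host, writes to the AmsiEnable key) plus the default parent/child indicator from the tradecraft slide, turned into matching logic over endpoint telemetry. This is an added example, not code from the talk or the SharpShooter project; the event lines are constructed in a simplified key=value shape modelled on Sysmon EventID 1 and 13 records, and the rule names and the USER_APPS parent list are my own choices.

```python
import ntpath
import re

# Constructed sample events, loosely modelled on Sysmon process-creation
# (EventID 1) and registry-value-set (EventID 13) records. Illustrative only.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Program Files\\Google\\Chrome\\chrome.exe "
    "CommandLine=wscript.exe C:\\Users\\u\\Downloads\\invoice.js",
    "EventID=1 Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe ParentImage=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=csc.exe /noconfig /fullpaths @C:\\Users\\u\\AppData\\Local\\Temp\\x.cmdline",
    "EventID=1 Image=C:\\Windows\\System32\\nslookup.exe ParentImage=C:\\Windows\\System32\\mshta.exe "
    "CommandLine=nslookup -type=txt stage.example.invalid",
    "EventID=13 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable Details=DWORD (0x00000000)",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Parents a script host is rarely launched from legitimately (slide 37 example: chrome.exe)
USER_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe", "winword.exe", "excel.exe"}
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split a 'key=value key=value' line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return the names of the SharpShooter-related rules this event matches."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    hits = []
    if event.get("EventID") == "1":
        if image in SCRIPT_HOSTS and parent in USER_APPS:
            hits.append("script-host-from-user-app")
        if image == "csc.exe" and parent in SCRIPT_HOSTS:
            hits.append("csc-from-script-host")  # staged-mode CodeDom compile
        if image == "nslookup.exe" and parent in SCRIPT_HOSTS:
            hits.append("nslookup-from-script-host")  # DNS staging
    elif event.get("EventID") == "13":
        target = event.get("TargetObject", "").lower()
        if target.endswith("\\windows script\\settings\\amsienable"):
            hits.append("amsienable-modified")  # AMSI bypass registry key
    return hits

def scan(lines):
    """Return (line index, rule name) pairs for every matching event."""
    return [(i, r) for i, line in enumerate(lines) for r in classify(parse_event(line))]
```

In production the same rules would be expressed in the SIEM's query language; the point here is that each slide indicator reduces to a parent/child pair or a single registry path, which is cheap to match at scale.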

  43. PREVENTION
     • Endpoint prevention strategies:
       • Device Guard code integrity policy
       • Application whitelisting, block mshta.exe etc.
       • Modify default handlers for scripting extensions
     • Network:
       • Outbound DNS filtering
       • Monitor for HTML smuggling, e.g. WebCrypto APIs
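The "monitor for HTML smuggling" item above, applied to the delivery pattern from slide 11 (an encoded blob inside the page, decrypted client-side with WebCrypto, then forced to disk via navigator.msSaveBlob). This is an added example, not code from the talk or from SharpShooter; it scores HTML bodies as a proxy or mail gateway would see them, and the createObjectURL and <a download> signals are my additions covering the non-IE variant of the same trick. Both test documents are constructed and carry only filler bytes.

```python
import base64
import re

# Signals that, in combination, characterise the HTML smuggling shape the
# slides describe: an encoded/encrypted blob carried inside the page, decoded
# client-side, then handed to the browser as a file download.
PAYLOAD_SIGNALS = {
    "webcrypto": re.compile(r"crypto\.subtle\.(decrypt|importKey)\("),
    "atob": re.compile(r"\batob\("),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
}
DELIVERY_SIGNALS = {
    "mssaveblob": re.compile(r"navigator\.msSave(OrOpen)?Blob\("),
    "object_url": re.compile(r"URL\.createObjectURL\("),
    "download_link": re.compile(r"<a\b[^>]*\sdownload\b", re.IGNORECASE),
}

def analyse_html(html):
    """Return matched signal names and a verdict for one HTML document."""
    payload = [n for n, rx in PAYLOAD_SIGNALS.items() if rx.search(html)]
    delivery = [n for n, rx in DELIVERY_SIGNALS.items() if rx.search(html)]
    # Only the combination is interesting: a long base64 run alone is usually an
    # inline image and a download link alone is a normal site; both together
    # is the smuggling shape and worth a second look (or a sandbox detonation).
    return {"payload": payload, "delivery": delivery,
            "suspicious": bool(payload) and bool(delivery)}

# Constructed test documents (not real samples). The blob is filler bytes.
FILLER_B64 = base64.b64encode(bytes(range(256)) * 2).decode()
SMUGGLING_HTML = (
    '<html><body><script>\n'
    'var blob = "' + FILLER_B64 + '";\n'
    'window.crypto.subtle.decrypt(alg, key, data).then(function (plain) {\n'
    '  navigator.msSaveBlob(new Blob([plain]), "report.vbs");\n'
    '});\n'
    '</script></body></html>'
)
BENIGN_HTML = (
    '<html><body><a href="/files/report.pdf" download>Quarterly report</a>\n'
    '<img src="data:image/png;base64,iVBORw0KGgo="></body></html>'
)
```

Such a check belongs on the proxy or mail gateway, where the page is still text/html, since by the time the blob is saved the endpoint only sees a script file appear in Downloads.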

  44. CONCLUSIONS
     • Windows scripting file formats provide a number of interesting opportunities for initial access
     • Leveraging COM, these can be harnessed for code execution using scriptlets and execution cradles
     • Creating weaponised tools raises ethical dilemmas, particularly when they are observed in the wild
     • Red team research/tooling can however provide a rare opportunity to raise the bar in detection at scale

  45. REFERENCES
     • SharpShooter available from https://github.com/mdsecactivebreach/SharpShooter
     • Thanks to the following people:
       • @tiraniddo: DotNetToJScript
       • @Arno0x0x: EmbedInHTML
       • @buffaloverflow: Demiguise
       • @arvanaghi and @ChrisTruncer: CheckPlease
       • @subTee: Squiblydoo/Two
       • @StanHacked: Excel 4.0 research

  46. QUESTIONS
